Re: Hashes/Nonce Source and unsafe-inline

I agree with you on hash sources. I don't believe this is true for
nonce sources, since one of the use cases nonces support is including
scripts from URLs that you only know at runtime.


On 12 December 2013 16:00, Dionysis Zindros <> wrote:
> On Thu, Dec 12, 2013 at 3:34 PM, Devdatta Akhawe <> wrote:
>> Hi
>> [creating a separate thread since there were other discussions ongoing
>> in the other]
>>> 2. 'unsafe-inline' is disabled if either a hash or nonce is present.
>>>      [3]
>> Imagine a website that wants to control what external scripts are
>> loaded. The website uses inline event handlers too. The hosts for
>> external scripts can be dynamic (e.g., it is on a CDN) and thus it
>> uses nonces to load them at runtime. In the new design, all the event
>> handlers would stop working. I am not sure this is what we want.
> Inline event handlers are insecure and prone to XSS, so we want to
> block them. There's no point in enabling both unsafe-inline and (hash
> or nonce) at the same time. The point of a hash or a nonce is to block
> all inline scripts except the ones whitelisted. Allowing inline
> scripts completely defeats the purpose of having hashes or nonces.
>> Thanks
>> Dev

Received on Friday, 13 December 2013 02:01:48 UTC